
Axon Data Schema Fields

The following sections describe the intended purpose for each of the fields within the Axon Data Schema.

Not all Data Schema fields are available for assignment through Policy Builder; those that are not are assigned by the Axon system as part of normal message processing. Fields marked as "mappable" can be assigned within Policy Builder, whereas fields that are not mappable are set by Axon and cannot be changed.

Origin, Target, and Observer Fields

Account Name vs. ID vs. Email vs. UPN

Some log sources and their messages are ambiguous about account identity: several use email addresses as their account names, and others use some type of ID. Axon’s approach to these attributes is to store them in separate fields based on their context.

User Principal Names (UPNs) are generally unique to Microsoft products. They are used in both the Windows Operating Systems and in Microsoft Azure. These should not be confused with email addresses or Account Names.

The Email fields are only relevant when the messages are describing email-related traffic. This could be message tracking, message inspection, or some other controls specifically for the email message transportation, inspection, or management contexts.

The ID field is meant to be used in conjunction with the Name field and not on its own. An Account ID is some internal identifier that the producing log source uses to track account objects. A common example is the SID value in Windows environments.

The Name field is the most used field. When a message describes an account object, it most frequently references the Name attribute. This could take many shapes, including that of an email address.
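The mapping rules above (Name is the general-purpose field, ID accompanies Name, UPN is stored apart from Email, and Email is only populated for email-related traffic) can be made concrete. The following is an added example, not Axon code: it maps a raw record onto the origin.account.* canonical IDs listed in the Account Fields table. The raw-record key names (SubjectUserName, SubjectUserSid, UserPrincipalName, SenderAddress) and the sample records are constructed assumptions.

```python
import re

# Canonical field IDs are the ones listed in the Account Fields table on this page.
# The raw-record key names are an assumption (a Windows-style logon record and a
# message-tracking record); real log sources name these differently.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_origin_account(raw: dict, context: str) -> dict:
    """Map a raw record onto origin.account.* fields.

    context is "logon" for authentication-style events or "email" for
    message-tracking events. Only the email context may fill email_address;
    an address-shaped value in a logon event is a Name or a UPN, never an Email.
    """
    out = {}
    name = raw.get("SubjectUserName")
    if name:
        # Name is the most used field and may itself look like an address.
        out["origin.account.name"] = name
    sid = raw.get("SubjectUserSid")
    if sid and SID_RE.match(sid):
        # The ID travels with the Name; a value that is not SID-shaped is dropped.
        out["origin.account.id"] = sid
    domain = raw.get("SubjectDomainName")
    if domain:
        out["origin.account.domain"] = domain
    upn = raw.get("UserPrincipalName")
    if upn and ADDRESS_RE.match(upn):
        # UPNs are formatted like addresses but are stored in their own field.
        out["origin.account.user_principal_name"] = upn
    if context == "email":
        sender = raw.get("SenderAddress")
        if sender and ADDRESS_RE.match(sender):
            out["origin.account.email_address"] = sender
    return out


def check_account_fields(fields: dict, context: str) -> list:
    """Return schema-consistency problems for an already-mapped record."""
    problems = []
    if "origin.account.id" in fields and "origin.account.name" not in fields:
        problems.append("origin.account.id set without origin.account.name")
    if context != "email" and "origin.account.email_address" in fields:
        problems.append("origin.account.email_address set on a non-email event")
    return problems


# Constructed sample records (not real log data).
WINDOWS_LOGON = {
    "SubjectUserName": "jdoe",
    "SubjectUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "SubjectDomainName": "CORP",
    "UserPrincipalName": "jdoe@corp.example",
}
MESSAGE_TRACE = {
    "SenderAddress": "jdoe@corp.example",
    "SubjectUserName": "jdoe@corp.example",
}

if __name__ == "__main__":
    for ctx, rec in (("logon", WINDOWS_LOGON), ("email", MESSAGE_TRACE)):
        mapped = normalize_origin_account(rec, ctx)
        print(ctx, mapped, check_account_fields(mapped, ctx))
```

The logon record keeps jdoe@corp.example in the UPN field and leaves email_address empty; the message-tracking record stores the same string as the Name and, because the context is email, also as the Email.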

Account Fields

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Origin Account DN | origin.account.distinguished_name | The Distinguished Name associated with the Origin Account. | True | String |
| Target Account DN | target.account.distinguished_name | The Distinguished Name associated with the Target Account. | True | String |
| Origin Account Domain | origin.account.domain | The domain name of the Origin Account. | True | String |
| Target Account Domain | target.account.domain | The domain name of the Target Account. | True | String |
| Origin Account Email | origin.account.email_address | The email address of the Origin Account. The sender in any email tracking message. | True | String |
| Target Account Email | target.account.email_address | The email address of the Target Account. The recipient(s) in any email tracking message. | True | Email |
| Origin Account ID | origin.account.id | A unique ID associated with the Origin Account. This is separate from the Name, UPN, and other attributes. This is represented by a SID in Windows environments. | True | String |
| Target Account ID | target.account.id | A unique ID associated with the Target Account. This is separate from the Name, UPN, and other attributes. This is represented by a SID in Windows environments. | True | String |
| Origin Account Name | origin.account.name | The name of the Origin Account. | True | String |
| Target Account Name | target.account.name | The name of the Target Account. | True | String |
| Origin Account Phone | origin.account.phone | The phone number of the Origin Account. | True | String |
| Target Account Phone | target.account.phone | The phone number of the Target Account. | True | String |
| Origin Account UPN | origin.account.user_principal_name | The User Principal Name of the Origin Account. These are formatted like email addresses, but should not be confused with them. | True | String |
| Target Account UPN | target.account.user_principal_name | The User Principal Name of the Target Account. These are formatted like email addresses, but should not be confused with them. | True | String |
| Observer Account DN | observer.account.distinguished_name | The Distinguished Name associated with the Observer Account. | True | String |
| Observer Account Domain | observer.account.domain | The domain name of the Observer Account. | True | String |
| Observer Account Email | observer.account.email_address | The email address of the Observer Account. | True | Email |
| Observer Account ID | observer.account.id | A unique ID associated with the Observer Account. This is separate from the Name, UPN, and other attributes. This is represented by a SID in Windows environments. | True | String |
| Observer Account Name | observer.account.name | The name of the Observer Account. | True | String |
| Observer Account Session ID | observer.account.session.id | The ID of the session under which the Observer Account operated. | True | String |
| Observer Account Session Name | observer.account.session.name | The name of the session under which the Observer Account operated. | True | String |
| Observer Account Session Type | observer.account.session.type | The type of session under which the Observer Account operated. | True | String |
| Observer Account UPN | observer.account.user_principal_name | The User Principal Name of the Observer Account. These are formatted like email addresses, but should not be confused with them. | True | String |
| Origin Account Display Name | origin.account.display_name | The display name of the Origin Account. | False | String |
| Target Account Display Name | target.account.display_name | The display name of the Target Account. | False | String |

Host Fields

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Origin Host DN | origin.host.distinguished_name | The Distinguished Name of the Origin Host. | True | String |
| Target Host DN | target.host.distinguished_name | The Distinguished Name of the Target Host. | True | String |
| Origin Host Domain | origin.host.domain.name | The domain of the Origin Host. | True | String |
| Target Host Domain | target.host.domain | The domain of the Target Host. | True | String |
| Origin Host ID | origin.host.id | A unique ID associated with the Origin Host. | True | String |
| Target Host ID | target.host.id | A unique ID associated with the Target Host. | True | String |
| Origin Host Interface Name | origin.host.interface.name | The name of the Origin Host’s Interface. | True | String |
| Target Host Interface Name | target.host.interface.name | The name of the Target Host’s Interface. | True | String |
| Origin Host IP | origin.host.ip_address.value | The IP Address of the Origin Host. | True | IP |
| Target Host IP | target.host.ip_address.value | The IP Address of the Target Host. | True | IP |
| Origin Host NAT IP | origin.host.ip_address.nat_value | The NAT IP Address of the Origin Host. | True | IP |
| Target Host NAT IP | target.host.ip_address.nat_value | The NAT IP Address of the Target Host. | True | IP |
| Origin Host City | origin.host.location.city | The geographic city associated with the Origin Host. | True | String |
| Target Host City | target.host.location.city | The geographic city associated with the Target Host. | True | String |
| Origin Host Region/State | origin.host.location.region | The geographic region or state associated with the Origin Host. | True | String |
| Target Host Region/State | target.host.location.region | The geographic region or state associated with the Target Host. | True | String |
| Origin Host Country | origin.host.location.country | The geographic country associated with the Origin Host. | True | String |
| Target Host Country | target.host.location.country | The geographic country associated with the Target Host. | True | String |
| Origin Host Geo | origin.host.location.geo_location | The geographic coordinates (latitude/longitude) associated with the Origin Host. | True | Geo_Point |
| Target Host Geo | target.host.location.geo_location | The geographic coordinates (latitude/longitude) associated with the Target Host. | True | Geo_Point |
| Origin Host MAC | origin.host.mac_address | The MAC Address of the Origin Host. | True | MAC |
| Target Host MAC | target.host.mac_address | The MAC Address of the Target Host. | True | MAC |
| Origin Host Name | origin.host.name | The name of the Origin Host. | True | String |
| Target Host Name | target.host.name | The name of the Target Host. | True | String |
| Origin Host IP Port | origin.host.network_port.value | The network port number used by the Origin Host. | True | Integer |
| Target Host IP Port | target.host.network_port.value | The network port number used by the Target Host. | True | Integer |
| Origin Host NAT IP Port | origin.host.network_port.nat_value | The NAT network port number used by the Origin Host. | True | Integer |
| Target Host NAT IP Port | target.host.network_port.nat_value | The NAT network port number used by the Target Host. | True | Integer |
| Origin Host OS Platform | origin.host.os.platform | The operating system platform of the Origin Host. | True | String |
| Target Host OS Platform | target.host.os.platform | The operating system platform of the Target Host. | True | String |
| Origin Host OS Version | origin.host.os.version | The version of the OS running on the Origin Host. | True | String |
| Target Host OS Version | target.host.os.version | The version of the OS running on the Target Host. | True | String |
| Origin Host Serial | origin.host.serial_number | The serial number of the Origin Host. | True | String |
| Target Host Serial | target.host.serial_number | The serial number of the Target Host. | True | String |
| Origin Host Version | origin.host.version | The version of the Origin Host. | True | String |
| Target Host Version | target.host.version | The version of the Target Host. | True | String |
| Observer Host DN | observer.host.distinguished_name | The Distinguished Name of the Observer Host. | True | String |
| Observer Host Domain | observer.host.domain | The domain of the Observer Host. | True | String |
| Observer Host Egress Int | observer.host.egress_interface | The name of the interface on the Observer Host from which network traffic was sent. | True | String |
| Observer Host Ingress Int | observer.host.ingress_interface | The name of the interface on the Observer Host on which network traffic was received. | True | String |
| Observer Host ID | observer.host.id | A unique ID associated with the Observer Host. | True | String |
| Observer Host IP | observer.host.ip_address.value | The IP address of the Observer Host. | True | IP |
| Observer Host NAT IP | observer.host.ip_address.nat_value | The NAT IP address of the Observer Host. | True | IP |
| Observer Host City | observer.host.location.city | The geographic city associated with the Observer Host. | True | String |
| Observer Host Region/State | observer.host.location.region | The geographic region or state associated with the Observer Host. | True | String |
| Observer Host Country | observer.host.location.country | The geographic country associated with the Observer Host. | True | String |
| Observer Host Geo | observer.host.location.geo_location | The geographic coordinates (latitude/longitude) associated with the Observer Host. | True | Geo_Point |
| Observer Host Name | observer.host.name | The name of the Observer Host. | True | String |
| Observer Host OS Platform | observer.host.os.platform | The operating system platform of the Observer Host. | True | String |
| Observer Host OS Version | observer.host.os.version | The version of the OS running on the Observer Host. | True | String |
| Observer Host Serial | observer.host.serial_number | The serial number of the Observer Host. | True | String |
| Observer Host Version | observer.host.version | The version of the Observer Host. | True | String |

Action Fields

Action fields contain data relevant to specific types of actions described by log messages. There is a set of fields that are valid across all the action types, and additional fields that are specific to certain types of actions.

General Action Fields

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Action Command Statement | action.command | Any command data, such as get, put, set, or rename, associated with the action. | True | String |
| Action Duration | action.duration | The duration, in seconds, of the action. | True | Integer |
| Action Message | action.message | A general message that describes the action. | True | String |
| Action Repeat Count | action.repeat_count | The number of times the same message was duplicated. Some log sources indicate that a message was repeated a number of times. | True | Integer |
| Action State | action.state | The current state of the action. | True | String |
| Action Start Time | action.timestamp_start | The timestamp for when the described action started. | True | Date |
| Action End Time | action.timestamp_end | The timestamp for when the described action ended. | True | Date |
| Action Type | action.type | The type of action described. | True | String |
| Action User Agent String | action.user_agent | The user agent string used to attempt the action described. | True | String |
| Action Session ID | action.session.id | The ID of the session under which the action was performed. | True | String |
| Action Session Name | action.session.name | The name of the session under which the action was performed. | True | String |
| Action Session Type | action.session.type | The type of session under which the action was performed. | True | String |
| Result Message | action.result.message | The full description of the result of the attempted action. | True | String |
| Result Code | action.result.code | A code used by the log source to describe the result of the attempted action. Most commonly, this is an error code. | True | String |
| Result Reason | action.result.reason | The reason provided by the source for the result of the attempted action. | True | String |

Aggregation Actions

Aggregation actions are performed by the Axon analytics subsystem.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Aggregation Count | action.aggregation.count | The computed count of aggregated items. | False | Integer |
| Aggregation Group | action.aggregation.key | An array of any schema fields aggregated around. | False | String |
| Aggregation Group Num | action.aggregation.key_length | The length of the Group array. | False | Integer |
| Aggregation ID | action.aggregation.message_id | An array of Message IDs associated with the aggregation. | False | String |
| Aggregation ID Num | action.aggregation.message_id_length | The length of the ID array. | False | Integer |
| Aggregation Maximum | action.aggregation.max | The computed maximum value of aggregated items. | False | Integer |
| Aggregation Minimum | action.aggregation.min | The computed minimum value of aggregated items. | False | Integer |
| Aggregation Sum | action.aggregation.sum | The computed sum value of aggregated items. | False | Integer |
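To show how the aggregation fields relate to one another (key array and its length, message ID array and its length, count, and the min/max/sum over a numeric field), here is an added example that is not Axon's analytics code. The grouping logic, the message_id key on the input records, and the choice to copy the key values onto the output record are this example's own assumptions; the canonical IDs are the ones in the table above.

```python
from typing import Iterable

# Canonical field IDs come from the Aggregation Actions table on this page. How the
# Axon analytics subsystem computes them is not documented here; the grouping logic
# and the "message_id" key on input records are assumptions of this example.


def aggregate(messages: Iterable[dict], key_fields: list, value_field: str) -> list:
    """Group normalized messages on key_fields and emit one aggregation record per group."""
    groups = {}
    for msg in messages:
        key = tuple(msg.get(f) for f in key_fields)
        group = groups.setdefault(key, {"ids": [], "values": []})
        group["ids"].append(msg["message_id"])
        value = msg.get(value_field)
        # min/max/sum only make sense over numeric values; messages lacking the
        # value field still count toward count and message_id
        if isinstance(value, int):
            group["values"].append(value)

    records = []
    for key, group in groups.items():
        record = {
            # the key array names the schema fields aggregated around
            "action.aggregation.key": list(key_fields),
            "action.aggregation.key_length": len(key_fields),
            "action.aggregation.message_id": list(group["ids"]),
            "action.aggregation.message_id_length": len(group["ids"]),
            "action.aggregation.count": len(group["ids"]),
        }
        # carry the key values so the record is self-describing (assumption)
        record.update(dict(zip(key_fields, key)))
        if group["values"]:
            record["action.aggregation.min"] = min(group["values"])
            record["action.aggregation.max"] = max(group["values"])
            record["action.aggregation.sum"] = sum(group["values"])
        records.append(record)
    return records


# Constructed sample messages (not real log data).
SAMPLE_MESSAGES = [
    {"message_id": "m1", "origin.host.ip_address.value": "10.0.0.5",
     "target.host.network_port.value": 445, "action.network.byte_information.sent": 500},
    {"message_id": "m2", "origin.host.ip_address.value": "10.0.0.5",
     "target.host.network_port.value": 445, "action.network.byte_information.sent": 700},
    {"message_id": "m3", "origin.host.ip_address.value": "10.0.0.5",
     "target.host.network_port.value": 445, "action.network.byte_information.sent": 300},
    {"message_id": "m4", "origin.host.ip_address.value": "10.0.0.9",
     "target.host.network_port.value": 443, "action.network.byte_information.sent": 120},
    {"message_id": "m5", "origin.host.ip_address.value": "10.0.0.9",
     "target.host.network_port.value": 443},
]
KEY_FIELDS = ["origin.host.ip_address.value", "target.host.network_port.value"]
VALUE_FIELD = "action.network.byte_information.sent"

if __name__ == "__main__":
    for rec in aggregate(SAMPLE_MESSAGES, KEY_FIELDS, VALUE_FIELD):
        print(rec)
```

With the sample input, the first group (10.0.0.5 to port 445) has a count of 3 and a byte sum of 1500; the second group has a count of 2 but its min, max and sum are all 120 because one of its messages carried no byte count.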

Authentication Actions

Authentication actions describe attempts to authenticate to a system, device, or application.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Admin Rights Status | action.authentication.admin_session | An indicator of whether an authentication attempt included administrator rights. | True | String |
| Authentication Key Size | action.authentication.key_size | The size of the encryption key used in the authentication request. | True | Integer |
| Authentication Method | action.authentication.authentication_method | The method used in the authentication attempt. This could include methods such as local, radius, ldap, etc. | True | String |
| Authentication Package | action.authentication.authentication_package | The Microsoft Windows authentication package used by the authentication process. | True | String |
| Authentication Trusted Process | action.authentication.trusted_process_name | The Microsoft Windows trusted process name used by the authentication process. | True | String |
| LanMan Package | action.authentication.lm_package | The Microsoft Windows LAN Manager package used by the authentication process. | True | String |
| Kerberos Encryption Type | action.authentication.kerberos.encryption_type | The cryptographic suite used by the Kerberos authentication attempt. | True | String |
| Kerberos PreAuth Type | action.authentication.kerberos.preauth_type | The Kerberos PreAuth type used by the authentication attempt. These are described in RFC 6113. | True | String |
| Kerberos Realm | action.authentication.kerberos.realm_name | The Kerberos Realm specified in the authentication attempt. A realm is a set of managed nodes that share the same Kerberos database. | True | String |
| Kerberos Ticket Options | action.authentication.kerberos.ticket_options | A 32-bit variable representing the ticket options (Forwardable, Renewable, Canonicalize, etc.) in the Kerberos ticket. | True | String |
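The two Kerberos fields that carry encoded values, ticket_options (a 32-bit flag set logged as hex) and encryption_type (an etype code), are most useful once decoded. The following added example, which is not Axon code, expands both for a normalized event. The bit positions follow the KDCOptions BIT STRING of RFC 4120 (bit 0 being the most significant bit) with canonicalize from RFC 6806, and the etype codes are the RFC 3961 / Microsoft values; neither table appears on this page. The derived output key names and the sample event are assumptions.

```python
# Bit numbering follows the KDCOptions BIT STRING in RFC 4120 section 5.4.1 (bit 0 is
# the most significant bit of the 32-bit value); "canonicalize" (bit 15) is from RFC 6806.
# Encryption type numbers are the RFC 3961 / Microsoft etype codes. Neither table is on
# this page; they are this example's own lookup data.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

ENCRYPTION_TYPES = {
    0x01: "des-cbc-crc", 0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac", 0x18: "rc4-hmac-exp",
}
# DES- and RC4-based types are treated as weak; flagging them supports hygiene reporting.
WEAK_ENCRYPTION_TYPES = {0x01, 0x03, 0x17, 0x18}


def decode_ticket_options(value: str) -> list:
    """Expand the ticket options value as logged (e.g. "0x40810010") into flag names."""
    options = int(value, 16)
    if options < 0 or options > 0xFFFFFFFF:
        raise ValueError("ticket options must fit in 32 bits")
    # bit n of the BIT STRING is the (31 - n)th bit of the integer
    return [name for bit, name in sorted(KDC_OPTION_BITS.items())
            if (options >> (31 - bit)) & 1]


def describe_encryption_type(value: str) -> dict:
    """Resolve an etype code string such as "0x17" to its name and weakness flag."""
    etype = int(value, 16)
    return {
        "code": etype,
        "name": ENCRYPTION_TYPES.get(etype, "unknown"),
        "weak": etype in WEAK_ENCRYPTION_TYPES,
    }


def enrich_kerberos_event(event: dict) -> dict:
    """Add derived fields next to the canonical Axon fields (derived key names are assumptions)."""
    enriched = dict(event)
    options = event.get("action.authentication.kerberos.ticket_options")
    if options:
        enriched["kerberos.ticket_option_flags"] = decode_ticket_options(options)
    etype = event.get("action.authentication.kerberos.encryption_type")
    if etype:
        info = describe_encryption_type(etype)
        enriched["kerberos.encryption_type_name"] = info["name"]
        enriched["kerberos.weak_encryption"] = info["weak"]
    return enriched


# Constructed sample event, shaped like a normalized Windows ticket-request record.
SAMPLE_EVENT = {
    "action.authentication.kerberos.realm_name": "CORP.EXAMPLE",
    "action.authentication.kerberos.encryption_type": "0x17",
    "action.authentication.kerberos.ticket_options": "0x40810010",
}

if __name__ == "__main__":
    print(enrich_kerberos_event(SAMPLE_EVENT))
```

For the sample value 0x40810010 the decoder yields forwardable, renewable, canonicalize and renewable-ok, and 0x17 resolves to rc4-hmac with the weak flag set.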

Change Actions

Change actions describe attempts to modify or alter a policy, configuration, or setting.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Pre-Change Value | action.change.original_value | The original value of the object or attribute before the change. | True | String |
| Post-Change Value | action.change.new_value | The value of the object or attribute after the change. | True | String |

DNS Actions

DNS actions describe activities related to DNS resolution.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| DNS Query | action.dns.query | The query requested by the source. Typical queries are either a forward or reverse lookup. | True | String |
| DNS Record Type | action.dns.record_type | The record type in the DNS Query. The most common is an A record query. | True | String |
| DNS Result | action.dns.result | The response to the query from the DNS resolver. | True | String |

Health Actions

Health actions describe system and service health.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Health Uptime | action.health.uptime | The time value since the system or device was started. | True | Integer |
| Health Previous State | action.health.previous_state | The previous health state of the host, device, application, or component. | True | String |
| Health New State | action.health.new_state | The current health state of the host, device, application, or component. | True | String |

Network Actions

Network actions describe network traffic activities.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Network Application Name | action.network.application | The application used in the network traffic. | True | String |
| Network Direction | action.network.direction | The direction indicated for the network traffic. | True | String |
| Network HTTP Method | action.network.http_method | The HTTP method command documented in the message. These are defined under RFC 2616. | True | String |
| Network SSID | action.network.ssid | The service set identifier for the wireless network’s name. | True | String |
| Network Protocol ID | action.network.protocol.id | The IANA protocol number used by the network traffic. | True | Integer |
| Network Protocol Name | action.network.protocol.name | The IANA protocol name used by the network traffic. | True | String |
| Packets Sent | action.network.packet_information.sent | The number of packets sent from the origin to the target during the network session. | True | Integer |
| Packets Received | action.network.packet_information.received | The number of packets received by the origin from the target during the network session. | True | Integer |
| Packets Total | action.network.packet_information.total | The total number of packets exchanged during the network session. | True | Integer |
| Bytes Sent | action.network.byte_information.sent | The number of bytes sent from the origin to the target during the network session. | True | Integer |
| Bytes Received | action.network.byte_information.received | The number of bytes received by the origin from the target during the network session. | True | Integer |
| Bytes Total | action.network.byte_information.total | The total number of bytes exchanged during the network session. | True | Integer |

Observation Actions

Observation actions are performed by the Axon analytics subsystem.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Observation Details | action.observation.json | A serialized JSON of all observations associated with the analytics rule. | False | Long_Text |
| Observation Group | action.observation.key | An array of schema fields used in the observation. | False | String |
| Observation Group Num | action.observation.key_length | The length of the observation group array. | False | Integer |

Scan Actions

Scan actions describe scan activities performed by vulnerability management, EDR/MDR, and other related solutions.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Scan ID | action.scan.id | An identifier assigned by the scanning engine to track the different phases of the scan. | True | String |
| Scan Infections | action.scan.infected_files | The number of infected files or objects detected during the scan. | True | Integer |
| Scan Items | action.scan.items_scanned | The number of files or objects scanned. | True | Integer |
| Scan Omissions | action.scan.items_omitted | The number of files or objects excluded from the scan. | True | Integer |
| Scan Threats | action.scan.threats_found | The number of threats detected during the scan. | True | Integer |
| Scan Type | action.scan.type | The type of scan performed. | True | String |

Object Fields

Objects have unique sets of fields that are only relevant for a specific context.

General Object Fields

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Object Type | object.type | The type of object identified within the message. | True | String |

Certificate Object Fields

Contains attributes tied to certificates found within messages.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Cert Subject | object.certificate.subject | The Distinguished Name of the certificate. | True | String |
| Cert Serial | object.certificate.serial_number | The unique serial number assigned to the certificate by the certification authority that issued the certificate. | True | String |
| Cert Issuer | object.certificate.issuer | The Distinguished Name or Common Name of the certification authority that issued the certificate. | True | String |
| Cert Issue Date | object.certificate.issue_date | The timestamp of when the certificate was issued by the certification authority. | True | Date |
| Cert Exp Date | object.certificate.expiration_date | The timestamp of when the certificate expires and is no longer valid. | True | Date |
| Cert Thumbprint | object.certificate.thumbprint | The thumbprint of the certificate. | True | String |

Database Object Fields

Contains attributes for databases and database tables.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Database ID | object.database.id | A unique ID to identify a database. | True | String |
| Database Name | object.database.name | The name of the database. | True | String |
| Database Instance | object.database.instance_name | An instance name of the database. This is frequently the same as the name attribute. | True | String |
| Database Table ID | object.database.table.id | A unique ID to identify a database table. | True | String |
| Database Table Name | object.database.table.name | The name of a database table. | True | String |

Device Object Fields

Contains attributes for devices that are not origin, target, or observer hosts.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Device ID | object.device.id | A unique ID associated with the device object. | True | String |
| Device Name | object.device.name | The name of the device. | True | String |
| Device Type | object.device.type | The type of device. | True | String |
| Device Serial | object.device.serial_number | The serial number of the device. | True | String |
| Device Vendor | object.device.vendor_name | The vendor name of the device. | True | String |

Directory Object Fields

Contains attributes of directory objects such as those found within Microsoft Active Directory and other LDAP implementations.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Directory Object ID | object.directory_object.distinguished_name | A unique ID associated with the directory object. | True | String |
| Directory Object Name | object.directory_object.name | The name of the object. This is frequently represented as a DN. | True | String |
| Directory Object Type | object.directory_object.type | The type of directory object. | True | String |
| Directory Object DN | object.directory_object.distinguished_name | The Distinguished Name of the directory object. | True | String |

Domain Object Fields

These are used when a domain object is involved in an action.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Domain ID | object.domain.id | A unique ID associated with the domain object. | True | String |
| Domain Name | object.domain.name | The name of the domain object. | True | String |

Email Message Object Fields

Contains attributes of email messages, excluding those under the origin and target contexts.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Email ID | object.email_message.id | A unique ID associated with the email message. | True | String |
| Email Subject | object.email_message.subject | The subject of the email message. | True | String |
| Email Header | object.email_message.smtp_header | The SMTP header of the email message. | True | Long_Text |
| Attachment MD5 | object.email_message.file.hash.md5 | The MD5 hash of the email attachment. | True | MD5 |
| Attachment SHA1 | object.email_message.file.hash.sha1 | The SHA1 hash of the email attachment. | True | SHA1 |
| Attachment SHA256 | object.email_message.file.hash.sha256 | The SHA256 hash of the email attachment. | True | SHA256 |
| Attachment SHA512 | object.email_message.file.hash.sha512 | The SHA512 hash of the email attachment. | True | SHA512 |
| Attachment Name | object.email_message.file.name | The name of the email attachment. | True | String |
| Attachment Size | object.email_message.file.size | The size, in bytes, of the email attachment. | True | Integer |
| Attachment Type | object.email_message.file.type | The type of the email attachment. | True | String |

File Object Fields

Contains attributes of file objects referenced within messages.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| File ID | object.file.id | A unique ID associated with the file object. | True | String |
| File Name | object.file.name | The name, minus the path, of the file object. | True | String |
| File Path | object.file.path | The path, minus the name, of the file object. | True | String |
| File Size | object.file.size | The size, in bytes, of the file object. | True | Integer |
| File Type | object.file.type | The type of the file object. | True | String |
| File Version | object.file.version | The version of the file object. | True | String |
| File Creation Time | object.file.creation_time | The timestamp when the file object was created. | True | Date |
| File Last Access Time | object.file.last_accessed_time | The timestamp when the file object was last accessed. | True | Date |
| File Modification Time | object.file.modification_time | The timestamp when the file object was modified. | True | Date |
| File MD5 | object.file.hash.md5 | The MD5 hash of the file object. | True | MD5 |
| File SHA1 | object.file.hash.sha1 | The SHA1 hash of the file object. | True | SHA1 |
| File SHA256 | object.file.hash.sha256 | The SHA256 hash of the file object. | True | SHA256 |
| File SHA512 | object.file.hash.sha512 | The SHA512 hash of the file object. | True | SHA512 |
| File Signer | object.file.signature.signer | The digital signer of the file object. | True | String |
| File Signature Status | object.file.signature.status | An indicator of whether the file object was digitally signed. | True | String |
| File Signature Validity | object.file.signature.validity | The validity of the file object’s digital signature. | True | String |

Group Object Fields

These are used when a group is the object involved in an action.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Group ID | object.group.id | A unique ID for the group object. | True | String |
| Group Name | object.group.name | The name of the group object. | True | String |
| Group Domain | object.group.domain | The domain to which the group object belongs. | True | String |

Interface Object Fields

These are used when a host interface is involved in an action. This is not relevant in the network traffic action context.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Interface ID | object.interface.id | A unique ID for the interface object. | True | String |
| Interface Name | object.interface.name | The name of the interface object. | True | String |
| Interface Alias | object.interface.alias | An alias name for the interface object. | True | String |
| Interface Mode | object.interface.mode | The networking mode of the interface object. | True | String |

Policy Object Fields

Contains attributes for policy objects referenced within messages.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Policy ID | object.policy.id | A unique ID for the policy object. | True | String |
| Policy Name | object.policy.name | The name of the policy object. | True | String |
| Policy Group | object.policy.group | The group to which the policy object belongs. | True | String |

Process Object Fields

Contains attributes for processes referenced within messages.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Process ID | object.process.id | A unique ID for the process object. | True | String |
| Process Name | object.process.name | The name, minus the path, for the process object. | True | String |
| Process Path | object.process.path | The path, minus the name, for the process object. | True | String |
| Process Command Line | object.process.command_line | The full command line recorded when executing the process. | True | Long_Text |
| Process Command Args | object.process.command_args | The arguments used when executing the process. | True | Long_Text |
| Process MD5 | object.process.hash.md5 | The MD5 hash of the process object. | True | MD5 |
| Process SHA1 | object.process.hash.sha1 | The SHA1 hash of the process object. | True | SHA1 |
| Process SHA256 | object.process.hash.sha256 | The SHA256 hash of the process object. | True | SHA256 |
| Process SHA512 | object.process.hash.sha512 | The SHA512 hash of the process object. | True | SHA512 |
| Process Signer | object.process.signature.signer | The digital signer of the process object. | True | String |
| Process Signature Status | object.process.signature.status | An indicator of whether the process object was digitally signed. | True | String |
| Process Signature Validity | object.process.signature.validity | The validity of the process object’s digital signature. | True | String |
| Parent Process ID | object.process.parent_process.id | A unique ID for the parent process object. | True | String |
| Parent Process Name | object.process.parent_process.name | The name, minus the path, for the parent process object. | True | String |
| Parent Process Path | object.process.parent_process.path | The path, minus the name, for the parent process object. | True | String |
| Parent Process Command Line | object.process.parent_process.command_line | The full command line recorded when executing the parent process. | True | Long_Text |
| Parent Process Command Args | object.process.parent_process.command_args | The arguments used when executing the parent process. | True | Long_Text |
| Parent Process MD5 | object.process.parent_process.hash.md5 | The MD5 hash of the parent process object. | True | MD5 |
| Parent Process SHA1 | object.process.parent_process.hash.sha1 | The SHA1 hash of the parent process object. | True | SHA1 |
| Parent Process SHA256 | object.process.parent_process.hash.sha256 | The SHA256 hash of the parent process object. | True | SHA256 |
| Parent Process SHA512 | object.process.parent_process.hash.sha512 | The SHA512 hash of the parent process object. | True | SHA512 |
| Parent Process Signer | object.process.parent_process.signature.signer | The digital signer of the parent process object. | True | String |
| Parent Process Signature Status | object.process.parent_process.signature.status | An indicator of whether the parent process object was digitally signed. | True | String |
| Parent Process Signature Validity | object.process.parent_process.signature.validity | The validity of the parent process object’s digital signature. | True | String |
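The process table splits one observed command line into several fields: the name minus the path, the path minus the name, the full command line, and the arguments, each repeated under object.process.parent_process for the parent. The following added example, which is not Axon code, performs that split for Windows- and POSIX-style command lines and fills the four hash fields from image bytes. The splitting rules (a quoted executable ends at the closing quote, an unquoted one at the first space; both backslash and slash separate path from name) and the sample command lines are this example's own assumptions.

```python
import hashlib

# Canonical field IDs come from the Process Object Fields table on this page. The
# command-line splitting rules are this example's own: a quoted executable ends at the
# closing quote, an unquoted one at the first space; '\\' and '/' both separate path
# from name.


def split_process_fields(command_line: str, prefix: str = "object.process") -> dict:
    """Populate name, path, command_line and command_args under the given prefix."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            # unterminated quote: treat the remainder as the executable
            exe, rest = cmd[1:], ""
        else:
            exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        exe, _, rest = cmd.partition(" ")
        rest = rest.strip()
    sep = "\\" if "\\" in exe else "/"
    path, _, name = exe.rpartition(sep)
    fields = {f"{prefix}.command_line": cmd, f"{prefix}.name": name}
    if path:
        fields[f"{prefix}.path"] = path
    if rest:
        fields[f"{prefix}.command_args"] = rest
    return fields


def hash_fields(data: bytes, prefix: str = "object.process") -> dict:
    """Fill the four hash fields of the schema from the image bytes."""
    return {
        f"{prefix}.hash.md5": hashlib.md5(data).hexdigest(),
        f"{prefix}.hash.sha1": hashlib.sha1(data).hexdigest(),
        f"{prefix}.hash.sha256": hashlib.sha256(data).hexdigest(),
        f"{prefix}.hash.sha512": hashlib.sha512(data).hexdigest(),
    }


def build_process_object(command_line: str, parent_command_line: str,
                         image_bytes: bytes = None) -> dict:
    """Assemble the process and parent-process fields for one process event."""
    fields = split_process_fields(command_line)
    fields.update(split_process_fields(parent_command_line,
                                       "object.process.parent_process"))
    if image_bytes is not None:
        fields.update(hash_fields(image_bytes))
    return fields


# Constructed sample values (not real telemetry; the image bytes are a placeholder).
SAMPLE_CHILD = '"C:\\Windows\\System32\\cmd.exe" /c ver'
SAMPLE_PARENT = 'C:\\Windows\\explorer.exe'
SAMPLE_IMAGE = b"MZ placeholder bytes, not a real executable"

if __name__ == "__main__":
    for key, value in build_process_object(SAMPLE_CHILD, SAMPLE_PARENT, SAMPLE_IMAGE).items():
        print(f"{key} = {value}")
```

Note that a bare name such as notepad.exe yields no path field and no command_args field rather than empty strings, which keeps "field absent" distinguishable from "field empty" downstream.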

Registry Object Fields

Contains attributes for Microsoft Windows Registry objects.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Registry Key ID | object.registry_object.id | A unique ID for the registry key object. | True | String |
| Registry Key | object.registry_object.key | The name of the registry key object. | True | String |
| Registry Key Path | object.registry_object.path | The full registry path to the key object. | True | String |
| Registry Root | object.registry_object.root_key | The root-level key, also called a hive. | True | String |

Resource Object Fields

Contains attributes for resource objects. These are frequently identified within cloud-based platforms such as Microsoft Azure, Amazon AWS, and Google Cloud.

| Field Name | Canonical ID | Description | Mappable? | Data Type |
|---|---|---|---|---|
| Resource ID | object.resource.id | A unique ID for the resource object. | True | String |
| Resource Name | object.resource.name | The name of the resource object. | True | String |
| Resource Region | object.resource.region | The region or location assigned to the resource, such as an AWS region or an Azure Role Location. | True | String |
| Resource Type | object.resource.type | The type assigned to the resource, such as a container. | True | String |
| Resource Group | object.resource.group | The group assigned to the resource, such as a cluster name, a Kubernetes namespace, or a container tag. | True | String |

Rule Object Fields

Contains attributes for any rule objects referenced within messages.

Field Name

Canonical ID

Description

Mappable?Data Type

Rule ID

object.rule.id

A unique ID for the rule object.

TrueString

Rule Name

object.rule.name

The name of the rule object.

TrueString

Rule Group

object.rule.group

The group to which the rule object belongs.

TrueString

Scheduled Task Object Fields

Contains attributes for any scheduled task or Cron objects referenced within messages.

Field Name

Canonical ID

Description

Mappable?Data Type

Task Name

object.scheduled_task.name

The name of the task object.

TrueString

Task Run Account

object.scheduled_task.run_account

The account under which the task object runs.

TrueString

Task Logon Type

object.scheduled_task.logon_type

The authentication method used by the task account when running the task. This is part of Microsoft Windows Scheduled Tasks.

TrueString

Script Object Fields

Contains attributes for any Script objects referenced within messages.

Field Name

Canonical ID

Description

Mappable?Data Type

Script ID

object.script.id

A unique ID for the script object.

TrueString

Script Name

object.script.name

The name, minus the path, of the script object.

TrueString

Script Path

object.script.path

The path, minus the name, of the script object.

TrueString

Script Size

object.script.size

The size, in bytes, of the script object.

TrueInteger

Script Command Line

object.script.command_line

The full command line used to execute the script object.

TrueString

URL Object Fields

Contains attributes for any URL objects referenced within messages.

Field Name

Canonical ID

Description

Mappable?Data Type

Complete URL

object.url.complete

The full URL value from the message.

TrueURL

URL Category

object.url.category

The URL category as defined by the source.

TrueString

URL Type

object.url.type

The URL type (direct or referral) as defined by the source.

TrueString

URL Protocol

object.url.protocol

The protocol component of the URL object.

TrueString

URL Domain

object.url.domain

The domain component of the URL object.

TrueString

URL Port

object.url.port

The port component of the URL object.

TrueInteger

URL Path

object.url.path

The path component of the URL object.

TrueString

URL Query

object.url.query

The query component of the URL object.

TrueString

URL Fragment

object.url.fragment

The fragment component of the URL object.

TrueString
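
The component fields above (protocol, domain, port, path, query, and fragment) correspond to a standard URL decomposition. As an added example that is not part of this documentation and not Axon's own parsing code, the following Python function splits a URL into those canonical IDs using only the standard library, leaves absent components unset, and discards an out-of-range port rather than failing on it. The function name and the sample URLs are the example's own assumptions.

```python
from urllib.parse import urlsplit


def url_object_fields(url: str) -> dict:
    """Decompose a URL into the object.url.* fields of the Axon Data Schema.

    Hypothetical helper written for this example. Components that are
    absent from the URL are left unset, mirroring a message that simply
    does not carry them. object.url.category and object.url.type are
    defined by the log source and are not derived here.
    """
    parts = urlsplit(url)
    fields = {"object.url.complete": url}

    if parts.scheme:
        fields["object.url.protocol"] = parts.scheme.lower()
    if parts.hostname:
        # .hostname strips userinfo and IPv6 brackets and lower-cases the host
        fields["object.url.domain"] = parts.hostname
    try:
        port = parts.port          # None when no explicit port is present
    except ValueError:
        port = None                # out-of-range or non-numeric port in the log
    if port is not None:
        fields["object.url.port"] = port
    if parts.path:
        fields["object.url.path"] = parts.path
    if parts.query:
        fields["object.url.query"] = parts.query
    if parts.fragment:
        fields["object.url.fragment"] = parts.fragment
    return fields


if __name__ == "__main__":
    # Constructed sample URLs for the example
    for sample in (
        "https://example.com:8443/path/to?x=1#frag",
        "http://User@Host.Example.COM/",
        "http://example.com:99999/bad-port",
    ):
        print(url_object_fields(sample))
```

Leaving the port unset when the message carries a malformed one keeps the rest of the URL usable for search; a parser that raised instead would drop every other component of that message as well.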

Threat Fields

These fields contain data relevant to threats detected by a log source. They can also be populated by Axon Analytics.

Field Name

Canonical ID

Description

Mappable?Data Type

Threat ID

threat.id

A unique ID for the threat object.

TrueString

Threat Name

threat.name

The name of the threat object. Typically a signature name.

TrueString

Threat Description

threat.description

A description of the threat.

TrueString

Threat Category

threat.category

The category of the threat assigned by the detection source.

TrueString

Threat Subcategory

threat.subcategory

The subcategory of the threat assigned by the detection source.

TrueString

Threat Severity

threat.severity

The severity of the threat. Separate from the general message severity.

TrueString

Threat CVE

threat.cve

The CVE(s) associated with the threat object. This field can also be populated through programmatic detection, in the same way as the Unattributed Fields.

TrueCVE

MITRE Tactic

threat.mitre_tactic

The MITRE ATT&CK tactic associated with the message.

TrueString

MITRE Technique

threat.mitre_technique

The MITRE ATT&CK technique associated with the message.

TrueString

Threat Evidence

threat.evidence

Any evidence provided by the detection system for the threat.

TrueString

Threat Detection Engine

threat.detection_engine

The engine, process, or service used to detect the threat.

TrueString

Threat Source

threat.source

The source of the detected threat.

TrueString

Threat Run Status

threat.run_status

An indicator of whether the detected threat is actively running on the target.

TrueString

Vendor Information Fields

These fields contain additional context as defined by the source that falls outside the scope of the other containers.

Field Name

Canonical ID

Description

Mappable?Data Type

Vendor Message ID

vendor_information.id

A unique ID generated by the source that identifies the type of message.

TrueString

Vendor Description

vendor_information.description

A general description of the message provided by the source.

TrueString

Vendor Severity

vendor_information.severity

The severity of the message. This is separate from the threat severity.

TrueString

Vendor Log Type

vendor_information.log_type

A high-level category of the message assigned by the source.

TrueString

Vendor Log Subtype

vendor_information.log_subtype

A low-level category of the message assigned by the source.

TrueString

Vendor Ext Link

vendor_information.external_link

A link to the external system that generated the message. This is commonly used in alerting systems to provide a link back to the alert within the source.

TrueLong_Text

Vendor Ext ID

vendor_information.external_id

An ID generated by the source that traces back to an alert, case, or similar construct.

TrueString

Log Gen Time

vendor_information.log_generation_time

The timestamp that identifies when the message was generated by the source.

TrueDate

General Information Fields

These fields are all assigned by the Axon system as part of message processing.

Field Name

Canonical ID

Description

Mappable?Data Type

Common Event

general_information.common_event

A set of one or more easily understood tags assigned by Axon to describe the message.

FalseString

Standard Time

general_information.standard_message_time

A timestamp taken from the various timestamps in the message that most closely matches when the message was generated.

FalseDate

Standard Time Confidence

general_information.standard_time_confidence

The confidence (High, Medium, Low) that the Standard Time value is the time the message was generated.

FalseString

Collection Time

general_information.collection_time

The timestamp matching when the message was collected by Axon.

FalseDate

Processing Start Time

general_information.processing_start_time

The timestamp matching when Axon started processing the message.

FalseDate

Processing End Time

general_information.processing_end_time

The timestamp matching when Axon finished processing the message.

FalseDate

Message ID

general_information.message_id

A unique ID generated by Axon and assigned to the message.

FalseString

Message Group ID

general_information.message_group_id

A unique ID generated by Axon and assigned during clustering/grouping.

FalseString

Message Tags

general_information.tags

This field is currently reserved for future use.

FalseString

Tenant ID

general_information.tenant_id

The unique ID of the Axon tenant.

FalseString

Exception Key

general_information.exception.key

The name of the exception key generated during signal processing, used for internal diagnostics.

FalseString

Exception Message

general_information.exception.message

The full exception message generated during signal processing, used for internal diagnostics.

FalseString

Exception Code

general_information.exception.code

The unique exception code generated during signal processing, used for internal diagnostics.

FalseString

Raw Message

general_information.raw_message

The full raw message received by the collector.

FalseLong_Text

Raw Message Size

general_information.raw_message_size

The size of the raw message in bytes.

FalseInteger

Log Source ID

general_information.log_source.id

A unique ID assigned by Axon to the message source.

FalseString

Log Source

general_information.log_source.name

The name of the log source.

FalseString

Log Source Type ID

general_information.log_source.type_id

A unique ID assigned by Axon to the log source type.

FalseString

Log Source Type

general_information.log_source.type_name

The name of the log source type.

FalseString

Processing Policy ID

general_information.processing_information.message_processing_policy_id

A unique ID assigned by Axon to the Message Processing Policy that processed the message.

FalseString

Processing Policy Name

general_information.processing_information.message_processing_policy_name

The name of the Message Processing Policy that processed the message.

FalseString

Processing Policy Version

general_information.processing_information.message_processing_policy_version

The version of the Message Processing Policy that processed the message.

FalseString

Processing Schema Version

general_information.processing_information.schema_version

The version of the data schema used when processing the message.

FalseString

Collector ID

general_information.transit_path.collector_id

A unique ID assigned by Axon to the Collector that collected the message.

FalseString

Transit Path

general_information.transit_path.complete

The complete transit path the message took, formatted as JSON.

FalseLong_Text

Truncated Original Message Size

general_information.original_message_size

The original size, in bytes, of a message that was truncated due to exceeding the maximum size limit per message. The size of the log after being truncated will appear in the Raw Message Size field. For more information, refer to the Maximum Log Size section of the Message Processing documentation.

FalseString

Unattributed Fields

These fields contain data that was programmatically detected by Axon without using a Message Processing Policy.

Field Name

Canonical ID

Description

Mappable?Data Type

Account Email

unattributed.account.email_address

A list of any email addresses detected in the message.

FalseEmail

Account Identity ID

unattributed.account.identity.id

This field is currently reserved for future use.

FalseString

Account Identity Name

unattributed.account.identity.name

This field is currently reserved for future use.

FalseString

Account Identity Tags

unattributed.account.identity.tags

This field is currently reserved for future use.

FalseString

MD5 Hash

unattributed.hash.md5

A list of any MD5 Hashes detected in the message.

FalseMD5

SHA1 Hash

unattributed.hash.sha1

A list of any SHA1 Hashes detected in the message.

FalseSHA1

SHA256 Hash

unattributed.hash.sha256

A list of any SHA256 Hashes detected in the message.

FalseSHA256

SHA512 Hash

unattributed.hash.sha512

A list of any SHA512 Hashes detected in the message.

FalseSHA512

Host Identity ID

unattributed.host.identity.id

This field is currently reserved for future use.

FalseString

Host Identity Name

unattributed.host.identity.name

This field is currently reserved for future use.

FalseString

Host Identity Tags

unattributed.host.identity.tags

This field is currently reserved for future use.

FalseString

Host IP

unattributed.host.ip_address.value

A list of any IP addresses detected in the message.

FalseIP

Host City

unattributed.host.location.city

The resolved geographic city of the IP addresses detected in the message.

FalseString

Host Region/State

unattributed.host.location.region

The resolved geographic region or state of the IP addresses detected in the message.

FalseString

Host Country

unattributed.host.location.country

The resolved geographic country of the IP addresses detected in the message.

FalseString

Host Geo

unattributed.host.location.geo_location

The resolved geographic coordinates (latitude/longitude) of the IP addresses detected in the message.

FalseGeo_Point

Host MAC

unattributed.host.mac_address

A list of any MAC addresses detected in the message.

FalseMAC

Host Name

unattributed.host.name

The resolved hostname of the IP addresses detected in the message.

FalseString
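
The Unattributed Fields are described as values detected programmatically from the message without a Message Processing Policy. As an added example written for this page, and not Axon's own detection code, the Python below extracts the pattern-detectable ones (email addresses, IPv4 addresses, MAC addresses, and hashes bucketed by hex length so that a SHA256 is never also reported as the MD5 formed by its first 32 characters) from a constructed sample message. The regular expressions, function names and the sample message are the example's own assumptions; the location and host-name fields, which need a GeoIP or DNS lookup, are deliberately not produced.

```python
import re

# Patterns written for this example; they are not Axon's own detection logic.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
# One greedy hex-run matcher; runs are bucketed by exact length afterwards,
# so a 64-character SHA256 is matched whole and never reported as an MD5.
HEX_RUN_RE = re.compile(r"\b[0-9a-fA-F]{32,128}\b")
HASH_FIELD_BY_LENGTH = {
    32: "unattributed.hash.md5",
    40: "unattributed.hash.sha1",
    64: "unattributed.hash.sha256",
    128: "unattributed.hash.sha512",
}

# Constructed sample message for the example (not a real log line).
SAMPLE_MESSAGE = (
    "Quarantined /tmp/dropper.bin md5=9E107D9D372BB6826BD81D3542A419D6 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "reported by alice@example.com from 10.1.2.3 (mac 00:1A:2B:3C:4D:5E); "
    "forwarded to 10.1.2.3 by agent 7.4.1"
)


def _unique(values):
    """Drop duplicates while preserving first-seen order."""
    seen = set()
    out = []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def unattributed_fields(raw_message: str) -> dict:
    """Return the list-valued unattributed.* fields derivable from a raw message.

    Hypothetical helper for this example. Hashes and MACs are normalised to
    lower case so that the same indicator written in different case collapses
    to one list entry; hex runs of unsupported length are ignored.
    """
    result = {
        "unattributed.account.email_address": _unique(EMAIL_RE.findall(raw_message)),
        "unattributed.host.ip_address.value": _unique(IPV4_RE.findall(raw_message)),
        "unattributed.host.mac_address": _unique(
            m.lower() for m in MAC_RE.findall(raw_message)
        ),
        "unattributed.hash.md5": [],
        "unattributed.hash.sha1": [],
        "unattributed.hash.sha256": [],
        "unattributed.hash.sha512": [],
    }
    for run in HEX_RUN_RE.findall(raw_message):
        field = HASH_FIELD_BY_LENGTH.get(len(run))
        if field:  # any other hex length is not one of the supported hash types
            result[field].append(run.lower())
    for field in HASH_FIELD_BY_LENGTH.values():
        result[field] = _unique(result[field])
    return result


if __name__ == "__main__":
    for key, values in unattributed_fields(SAMPLE_MESSAGE).items():
        print(f"{key}: {values}")
```

The IPv4 pattern will also accept any four dotted decimal numbers in range, such as a four-part version string, so values pulled out this way are hints for pivoting rather than attributed facts, which is exactly why the schema keeps them in a separate Unattributed container.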